Towards a Just-War Ethic for Cyber War: Defining Cyber Warfare

In Catholic circles, or even in the broader Christian community, there has been virtually no discussion of the ethics of cyber warfare. Does the Christian just-war tradition have anything to say about cyber warfare? Before any such discussion can take place, however, it is crucial to have an understanding of what we even mean by cyber warfare.

The Russian hacking of the DNC and John Podesta’s emails has helped foster interest in and concern about the issue of cyber security, an interest that had already been growing as a result of several other prominent cyber attacks, such as the Stuxnet virus attack on Iran’s Natanz nuclear reactor in 2009-10, the Chinese hack of the U.S. Office of Personnel Management’s records in 2014, and the North Korean hack of Sony Pictures the same year. These concerns about cyber security have led both the cyber media and the scholarly community to take more seriously the possibility of cyber warfare. In Catholic circles, or even in the broader Christian community, there has been virtually no discussion of the ethics of cyber warfare. Does the Christian just-war tradition have anything to say about cyber warfare?

Before any such discussion can take place, however, it is crucial to have an understanding of what we even mean by cyber warfare. As I have previously noted, the heated rhetoric describing the Russian hacks leading up to the 2016 elections as an “act of war” is dangerous because it encourages an escalation of conflict and even the use of armed force. As serious as Russia’s interference in the election was, it was an act of espionage and not war. The terms “cyber war” or “cyber warfare,” to be useful at all, must refer to types of acts that in some way could be considered true acts of war.

Before proceeding, it is worth considering that “war” itself is a word we use without necessarily having a clear sense of what it is. The Israeli legal scholar Yoram Dinstein defines war as: “a hostile interaction between two or more States, either . . . produced by a declaration of war [or] generated by actual use of armed force. which must be comprehensive on the part of at least one party to the conflict.” Although this definition is somewhat general, it has some important elements, as well will see.

Likewise, before defining cyber warfare, it is important to define the broader term “cyber attack.” Martin C. Libicki understands a cyber attack as “an operation that uses digital information (strings of zeroes and ones) to interfere with an information system’s operations and thereby produce bad information and, in some cases, bad decisions.” A cyber attack can cause the corruption of information, the disruption of system functioning, or even the damaging or destruction of a physical system.

A cyber attack can be distinguished from two other kinds of cyber actions: exploitation or cyber espionage, and cyber defense. Cyber espionage refers to the penetration of a system to gain information about the system or to get access to the data stored on the system; it can be carried out for its own sake or as preparation for a cyber attack or for cyber defense. Cyber defense refers to the effort to detect and prevent cyber espionage and cyber attacks aimed at one’s own systems.

Both cyber espionage and cyber attacks can be used for criminal purposes. Brandon Valeriano and Ryan Maness reserve the term “cyber conflict” to distinguish cyber attacks carried out for political purposes from cyber crime. Cyber conflict can be carried out both by states and by non-state actors. The key question for defining cyber warfare, then, is under what conditions does cyber conflict rise to the level of warfare.

The phenomenon that Libicki refers to as “operational cyber warfare” certainly ought to classify under any definition of cyber warfare. This refers to cyber attacks carried out in conjunction with kinetic warfare, the “use of armed force” referenced in Dinstein’s definition above. For example, on the battlefield, militaries can disrupt enemies’ weapons networks, insert false messages into enemy communication systems, or feed false information to tracking systems.

The more difficult question arises concerning what Libicki calls “strategic cyber warfare”, which refers to cyber attacks carried out separately from kinetic warfare. When should a cyber attack carried out on its own, or in conjunction with other cyber attacks, be considered an act of war? One thing to consider is that cyber attacks are capable of inflicting a range of damage. A distributed denial of service (DDoS) attack, for example, in which an individual harnesses a number of computers together into a “botnet” to overwhelm a target site with traffic, does no lasting damage to the victim’s system. Other forms of cyber attack, such as hacking flight control systems to cause multiple plane crashes or a hack causing damage to nuclear reactors, could be catastrophic. A definition of cyber warfare ought to take this range into account.

Some definitions of cyber warfare limit the term to those cyber attacks that can potentially lead to the death of enemies, seeking a close analogy with kinetic warfare. There are at least two problems with this definition, however. For one, as Dinstein’s definition of war indicates, a state of war can exist without blood being spilled, and even in kinetic warfare there are acts of war that do not lead to casualties. Second, there are acts of violence that are not acts of war because they lack political motivations.

A second approach to defining cyber warfare considers whether a cyber attack would be an act of war if an act of kinetic warfare caused similar damage and was carried out with similar motivations. This approach eschews precise definitions and instead argues by analogy. This is the approach of the Tallinn Manual, a document produced a group of scholars sponsored by the NATO Cooperative Cyber Defence Centre of Excellence in Estonia. The Tallinn Manual concludes that a cyber attack should be considered cyber warfare if it causes physical damage comparable to a kinetic attack. For example, a cyber attack capable of doing significant damage to a nation’s electrical grid could be classified as an act of war since a kinetic attack with similar effects would likewise be an act of war.

This approach is helpful, but is also possible that there are forms of cyber attack that it would make sense to classify as cyber warfare even if they are not comparable to acts of kinetic warfare. For example, if state hackers were able to cause permanent damage to the records of major banks across the United States, could that be considered a form of cyber warfare, or is it better described as some other form of attack? This would cause significant damage to American social life and hamper the ability of the U.S. government to function, but the damage would not be physical in a straightforward way. Most definitions of cyber warfare limit themselves to attacks that cause physical damage of some kind, which can more easily be classified as acts of armed force.

In conclusion, we can tentatively define cyber warfare as cyber attacks carried out for political motives, either in conjunction with kinetic warfare, or separately and in such a way that the damage is comparable to that potentially caused by an act of kinetic warfare, whether that damage be physical in nature or to the state’s ability to exercise authority over a sovereign territory. This definition does not even begin to assess whether Christians can participate in cyber warfare, whether they can support cyber warfare carried out on behalf of the nation, or similar ethical questions. A clear definition of cyber warfare, however, is necessary if Christian ethicists are to begin answering these questions.

Matthew A. Shadle is Associate Professor of Theology and Religious Studies at Marymount University in Arlington, Virginia. He has published Interrupting Capitalism: Catholic Social Thought and the Economy (Oxford, 2018) and The Origins of War: A Catholic Perspective (Georgetown, 2011).

Interesting take, but would war not need to include physical violence of some sort? There needs to be a serious wrong done, and I am not so sure a serious wrong can be done without physical destruction of life or property.

Thank you for your reply, and thanks for your scholarly work in this field, I have learned a lot from it. I am sympathetic to your point that an act of cyber warfare would have to involve physical destruction of some kind. But I left it as an open question because I wonder if our increasing reliance on the “virtual” storage of data makes possible forms of damage that would be catastrophic even if they do not involve physical destruction, and that simply have no analogue in previous history. On the other hand, I think we have to be careful about what we mean by the “physical” because everything “virtual” has a physical basis of some kind or another.